Great Wifi on the cheap: Asus RT-N12 with DD-WRT for dual Wifi

If you have friends with gadgets, they're always asking for your WiFi, and if you're like me, you want to give them internet access but you don't (or you really shouldn't) want to give them access to your internal systems. You may also not want them to have full leeching power on your internet pipe either. That second part may not be as important to you, but you should at least consider it... :)

After being frustrated with the lousy quality of the ISP provided (especially the Westell variety) WiFi routers, I decided to give DD-WRT a try. My research pointed me in the direction of the Asus RT-N12 router since it's very well supported by DD-WRT and it's very cheap: less than $40 shipped from NewEgg.

My setup is probably more complex than most, but it still applies to the typical home setup:

• An internal system that serves internal DHCP, DNS, and external SSH/SOCKS proxy
• An ISP provided internet router with DHCP disabled.
• A WiFi-N Access Point (AP) on the A-band (5GHz)
• A WiFi-N AP on the B/G band (2.4GHz)

With the exception of the external SSH server and SOCKS proxy, a typical home setup using an ISP supplied WiFi router would play all of those roles, which is fine. In my case, what I want to do is replace the B/G 2.4 AP with the DD-WRT unit that would provide wireless access to the internal network on the B/G/N band, plus create a separate password-protected SSID for friends with a completely different IP range than the internal network, and with public DNS servers. The end effect being that devices connected to the "friend" band would have internet access, but would be able to access the internal systems. Also, the 'friend' access network would be capped at 1.5 Mbps (DSL speed), which is more than adequate for the usual e-mail, Facebook, etc. access. The other benefit of this is that I would not have to give my internal WiFi access password to anyone, and can change the 'friend' password at any time without having to re-do the internal systems.

Step 1: Install DD-WRT on the router


The DD-WRT wiki has plenty of information on how to do this, but essentially it comes down to:

1. Download the DD-WRT firmare for your router (I chose NEWD-k2.6-mini generic)
2. Download the tools from Asus
3. Set the router in recovery mode
4. Use the Asus recovery tool to install DD-WRT

Two important notes:
(1) - It is recommended that you use Internet explorer for the initial setup. I don't know why, but that's the recommendation.
(2) - Most internal home IP ranges start with either 192.168.0 or 192.168.1. If yours is the latter, you will need to make some (temporary) changes to your IP setup. The Asus router defaults to 192.168.0.1, so make sure the PC you are using to set up the router is set to a fixed address like 192.168.0.10. On a PC, the steps are pretty simple:

From the "Network and sharing center", select your LAN connection, then click on the Properties button:

then, select the IPV4 protocol and click on properties:

Change the settings from your default (probably this):

to look like this:

Click Ok until all the property windows are closed.
Now, connect your router and follow the wiki instructions to start it in recovery mode to you can install the DD-WRT firmware.

Step 2: Configure the Router for the internal network
Note: I like the concept of using the unit as an access point rather than a router, simply because I'm happy with my current router. These instructions are for an AP setup. If you rather use the unit as a router, then consult the wiki. The unit's mode (AP or router) is not important for the dual WiFi setup.


The first thing you need to do is set up a root password. the username is root, and pick your password. Then save the changes. Now, configure your IP address setup to match your default network. Click on the Setup tab and set the Wan connection type to disabled.

My network is 192.168.1 based, so I gave mine a high-enough number:

Also, make sure the gateway and local DNS points to your router's IP. Note: my local DNS is not my router. That is why they don't match in the picture.

Enable the DHCP server on the unit, but set it to have zero maximum DHCP users. On the server configuration, put any number you want for the start IP address, and set the static DNS entries to your router's IP address. You will probably need just one, unlike me. It is also important to enable dnsmasq for DNS and DHCP.

(Note: As of 2011-Sep-08 This "no dhcp" lease setup is not working 100% reliably for me. I will post an update when I find a way to resolve it)

Another important side note: If you plan to use this as your actual DHCP server, then do not use zero for the Maximum DHCP users box. 50 is probably more than adequate. In this scenario, I would select a start IP address of maybe 128.

Also, I strongly recommend you set up a time server:

The reason you need the DHCP server enabled (even though in my case it will not provide any addresses) is because you need a DHCP server set up for the 'friend' WiFi network. If the main DHCP server is not enabled, the secondary one will not work either. Click on the "Apply Settings" button, then the Save button.

A very important note: If you changed the IP settings to match your current network, you will need to reset your LAN setting back to the defaults (DHCP). Look at the first three pictures above.

Now, set up your private wireless network.

Select the Wireless tab at the top of the page. in the Basic Settings, set your wireless mode to AP. Give your internal WiFi network a name. I picked "PrivateWifi" for this example:

If your page does not show a virtual interface, click on the Add button, then give it a name "FriendWifi" for this example. Then (you guessed it) click on Apply settings and then on Save.

Now, secure your networks:

Go to the "Wireless Security" tab and select WPA2 Personal mixed, TKIP+AES, then your password. Repeat for the 'friend' network, but use a different password! :) Do the now familiar Apply + Save.

You should try to connect to your private WiFi network and make sure you can get out to the internet, etc. The public WiFi network is not yet ready to be tested. We will do that one later.

Step 3: Configure the Router for the "friend" network.

In order for this to work, the key portions needed are:

1. Create a network bridge and assign it to the virtual interface.
2. Give the bridged network a completely different IP network number than your internal network.
3. Enable DHCP for the bridged network with DNS settings that have no relation to your internal network
4. Set up a firewall rule so that the bridged network can actually get out to the internet (very important!)

Select the Setup tab, then select the "Networking" sub-tab. On the Bridging section, click on "add" to create Bridge 0. Set the IP address to something other than what you're using. For example I selected 192.168.10.1

Use 255.255.255.0 for a netmask. Now, assign the bridge to the virtual wireless (wl0.1):

On the Port setup section, enter the same IP address and netmask you used in the "Create Bridge section":

On the DHCP section, enable a DHCP server for the bridged network (br1):

The example above is configured to provide a max of 10 simultaneous IP addresses on the friend network, starting with IP address 192.168.10.50. You can tweak those numbers as needed. I haven't found myself needing more than 10 friends to connect at the same time, so that max was good for me. 

To setup the DNS on the friend network, pick a public DNS server, such as Google or OpenDNS. I picked Google. The DNS servers for my location are 8.8.8.8 and 8.8.4.4. Do a search for "Google dns" to find out what addresses are correct for you. Mine will work, but they may not be the best servers for your location.

To accomplish this, go to the "Services" tab to enable the DNSmasq service and feed it some parameters, like this:

Since you cannot cut and paste the text from the image, here it is:

interface=br1
dhcp-option=br1,6,8.8.8.8,8.8.4.4,4h


What that means is that the DHCP server is for the bridged lan (br1), with dns servers 8.8.8.8 and 8.8.4.4 and each IP has a max 4 hour lease time. Now, do the usual apply+save steps.

At this point, you should be able to connect to the friend network and verify that you get an IP address that starts with 192.168.10. (if you used my settings verbatim). If you click on the connection details, the DNS servers should be 8.8.8.8 and 8.8.4.4 (again, if you used my settings), and your gateway should be the IP address of the unit (the first thing you did after installing DD-WRT). Note that you will not be able to get out to the internet just yet.

There is one final step to do: the firewall. Since you need a custom rule to ensure the bridged traffic can get to the internet, you have to manually enter the rule.
Select the "Administration" tab, then the "Command sub-tab". In the command box, enter these two lines:

iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP 
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr` 

Then, click on "Run commands" to test that you can now access the internet. Once you're satisfied, click on "Save firewall". There are more complex examples in the wiki page. I think this setting is probably the most suitable for you. What the rules are doing is allowing the bridge traffic to flow through the physical (private) connection, and blocking any traffic from the public network going to the private network.

At this point, you can save your settings somewhere safe, and you're pretty much done. Congrats!

Step 4: Extra credit


This part is optional, but I would recommend it: Limit the amount of bandwidth the public network can use. The benefit of this is that while you're being a good friend by sharing your 'net pipe, you are also ensuring that your private systems have enough available bandwidth at all times.
In my scenario, I chose to cap the download speeds at DSL speed (1.5mbit). I have a FIOS connection, so that amount is a small percentage of my available speed. If you happen to have only a DSL line, then drop the value accordingly. I would make sure you cap the public network at no more than 50% of your available pipe.

If you're not sure how fast your 'net speed actually is, do a search for "internet speed test" or try www.speedtest.net. Use those numbers to determine the values you use for the uplink and downlink entries.

So, here is my setup:

On the Nat/QoS tab, select the QoS sub-tab. On the QoS settings, enable QoS for Lan & Wlan. Set up your uplink speed to (again) no more than 30% of what's available to you. Set up your downlink speed to no more than 50% of what you have.
Friends care primarily about e-mail, facebook, web, etc. None of those services require fast uplink speeds. 

On the "Netmask Priority" section, there should be two IP/mask entries: One is your private network, and the other is the friend network. If one or more of the entries are missing, add them using the entry fields and click on the "Add" button. Set your private network entry with an Exempt priority, and your public network with a Bulk priority.

As always, do the Apply+Save button combo.

I know it looks like a lot, but it is not. you can have the whole thing set up from unwrapping the unit to configuring it in less than 20 minutes. There are a few gotchas along the way, but I don't think it is too bad. My setup took longer because of my unorthodox setup, and because I wanted to have a fixed bandwith for the public network.

Enjoy!

Windows Phone 7: My first impression

I like the old windows mobile platform and I have very good hopes for the WP7 platform. I took the plunge and bought a Samsung focus. My first impressions are promising, but I feel MS took their mantra of a clean start way too close to heart and (to a point) left the early adopters out in the cold in some key areas.

I would not call myself a fan boy: I would not go to blows with anyone about their gadget decisions. I believe in the mantra of "do what works best for you". For me, it was windows mobile. I think just about every smartphone I had has been a WM device: From the clunky old Compaq/HP ipaq to the my current HTC tilt2 (and two other HTC devices in between). I have been pretty happy with them in the way I can control my information, and despite the slowness and the occasional lockup, they've been good to me.

None of the aforementioned devices translate well into the modern smartphone model, and as such, they can't compete, nor can they survive. So, I understand and welcome the MS move of defining a brand new paradigm for their mobile platform. I think they did a very good job on the rev 1.0 of the platform. The problem-for me at least-is that this new way of doing things requires me to give up a lot control in exchange for what seems to be very little, and I am not sure that I'm ready for that.

For some people, putting all of you information in the public cloud doesn't seem to be a concern. It is to me, and this is my one major peeve with the paradigm. I don't mind the live id connectivity concept. Works for the android platform, but even they have the ability to sync with Outlook! What I'd like is the ability to control (easily) what the device chooses to do with MY data. What I'd really like is the ability to not publish anything unless I want to. One example of this is a simple one: the "Me" aspect of the phone. If I attach a picture it gets published to my live account, and there's not a damn thing I can do to control that. Even with the account settings set to manually sync. My recourse is to log into the live account and get rid of the picture.

I may sound zealous, but I treat other people's information as very private, and since I would not like others to put my information in harm's way, I would like to return the favor. So for now, my only mitigation is to limit the amount of information I keep on the device.

There are plenty of articles on the 'net discussing the issues the platform and with the people hub concept in great detail. I won't cover them again. So far, the only mitigation for this is to use exchange. For a single individual, that's a bit of overkill! The icing on the cake, so-to-speak, are the many documented security problems with hotmail and windows live over the years. I simply cannot trust the platform to keep my stuff secure.

Here's another one: notes. The WP7 answer to notes is the OneNote app, which is very nice. The problem? there is no way for me to convert the many notes I have into OneNote versions! I'd have to suck it up and re-enter everything either on the device itself, or put the notes in the cloud and sync them that way. Again: asinine.

I'm a developer, so I'd be happy with the ability to cook up a solution for myself. Alas, I can't do that either because there no API to connect to, or to provide the service to the device. Similarly, there are no public developer APIs to access basic services like a TCP/IP stack (That's why services such as Skype are not available at the moment), and no native access provides a consistent development platform, but it also cripples the ability for us-the developer portion of early adopters-from producing the apps could mitigate the issues and bring the users to the platform. This can easily be solved, but it requires the cooperation of the MS crew to get there.

At this point, I want to love device, but I don't. I am not even sure if I'll use it on a day-to-day basis. I know they needed to get something out that covered a lot of people's needs, but I think there were serious holes in the initial implementation that are going to leave some bad impressions on the likes of us. Let's hope for their sake we make the minority.

Later,